Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Will Give a Search Edge To Websites That Use Encryption

Posted by timothy on from the bit-of-an-incentive dept.

As TechCrunch reports, Google will begin using website encryption, or HTTPS, as a ranking signal – a move which should prompt website developers who have dragged their heels on increased security measures, or who debated whether their website was “important” enough to require encryption, to make a change. Initially, HTTPS will only be a lightweight signal, affecting fewer than 1% of global queries, says Google. ... Over time, however, encryption’s effect on search ranking [may] strengthen, as the company places more importance on website security. ... While HTTPS and site encryption have been a best practice in the security community for years, the revelation that the NSA has been tapping the cables, so to speak, to mine user information directly has prompted many technology companies to consider increasing their own security measures, too. Yahoo, for example, also announced in November its plans to encrypt its data center traffic.

21 of 148 comments (clear)

  1. Great step! by satuon · · Score: 5, Interesting

    That's a really great step from Google, I had never thought that it can be done in such a neat way. What's next? Can they also do it for IPv6?

    1. Re: Great step! by Nexus+Unplugged · · Score: 3, Informative

      CloudFlare has also announced that they're planning to roll out free SSL to customers in the coming months.

    2. Re: Great step! by petermgreen · · Score: 4, Informative

      They do BUT

      1: their rules on who can get the free certs seem to be varied and arbitary. I've seen reports of an opensource developer being given a free cert initially but then come renewal time told that merely having a donation button makes their site count as "ecommerce" and therefore ineligable
      2: they make the expiry artifically short (the CA industry as a whole does this but startSSLs free certs are epecially bad),
      3: they refuse to renew certs until just before they expire and refuse to reissue certs without revoking the old one.
      4: each free cert only covers a domain and one hostname under that domain (e.g. bar.com and foo.bar.com). This effectively means you end up needing one IP per hostname you want SSL on (until IE on XP becomes insignificant anyway).

      It's nice that there is a free (as in beer) option for some people but it's also clearly got a number of artificial restrictions on it to push people towards their paid options.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    3. Re: Great step! by Rich0 · · Score: 4, Informative

      StartSSL still give out free certificates to individuals right?

      Yes, as long as you don't change your certificate after the key is lost as a result of HeartBleed. If you want your users to be secure, then you need to pony up $25. How that isn't a violation of the Mozilla policies is beyond me. I can give StartSSL clear proof that a private key has been disclosed, and they won't revoke it unless somebody pays them to do it.

    4. Re: Great step! by Darinbob · · Score: 4, Insightful

      It's already monetary discrimination, since well design sights with interesting products will show up higher in the rankings than the local mom&pop web site where they could only afford to hire a high schooler to do the design.

      The whole point of ranking is not to make sure everybody is perfectly equal, but to help the customer find the most relevant results. If I'm searching for a bank then I most certainly want a bank with security to be ranked higher than one without. However, I can see the issue that it's only Google who gets to decide what's relevant. Perhaps there should be some user specified criteria, such as letting me decide to show only IPv6 capable sites.

    5. Re: Great step! by heypete · · Score: 3, Informative

      2: they make the expiry artifically short (the CA industry as a whole does this but startSSLs free certs are epecially bad),

      A validity time of one year is pretty standard for SSL certs (paid certs often charge per year). Could they issue them for 20 years? Sure, but a one year validity is not unusual. Class 2 certs are good for two years.

      3: they refuse to renew certs until just before they expire and refuse to reissue certs without revoking the old one.

      I get renewal notices two weeks prior to expiration. That's pretty reasonable. If I recall correctly, I can generate a new cert for my site any time in that two-week period, so I don't need to wait for the cert to expire before replacing it.

      While I wish they allowed free reissuance of certs at any time, I don't really see why requiring revocation is a showstopper.

      4: each free cert only covers a domain and one hostname under that domain (e.g. bar.com and foo.bar.com). This effectively means you end up needing one IP per hostname you want SSL on (until IE on XP becomes insignificant anyway).

      That's also the case for pretty much any of the inexpensive paid certs too. You can always get a wildcard cert but most CAs charge at least $100/year for a single wildcard cert. StartSSL charges $60 for Class 2 validation, and you can issue unlimited certs (wildcard or not). Organizations can get Class 2 certified for $120 ($60 for identity verification, $60 for organization verification) and can issue unlimited certs. For a company needing more than one cert, StartSSL is still cheaper.

      It's nice that there is a free (as in beer) option for some people but it's also clearly got a number of artificial restrictions on it to push people towards their paid options.

      Considering their paid certs are often cheaper than comparable offerings from other CAs, it doesn't really seem unreasonable to me. Doubly so because they're run by competent people who respond promptly to inquiries, even from free users. I've been a StartSSL customer for years (and also used other CAs like GoDaddy, Comodo, Thawte, etc.) and the customer service from StartSSL has always been excellent.

      If you don't want to get a StartSSL cert or they don't meet your needs, that's fine. NameCheap and others sell single-domain Comodo certs for $9/year. RapidSSL certs are a buck or two more per year. That costs less than a single beer at the local bar. Hardly a massive expense.

  2. So now Google establishes Internet standards by neilo_1701D · · Score: 4, Insightful

    I'm not convinced that this is a good precedent. Sure, they're encouraging sites to use HTTPS today... but what about tomorrow?

    Speculation: Websites that block competing search engines from indexing their content may rank higher in Google searches? Websites that process payments using Google rank higher in Google search?

    I'm not saying that HTTPS is a bad thing... but once they open the door once to arbitrary ranking changes done on a whim, that door can be opened again.

    1. Re:So now Google establishes Internet standards by Anonymous Coward · · Score: 3, Insightful

      As opposed to the currently non-arbitrary ranking algorithm? What the hell are you talking about.

    2. Re:So now Google establishes Internet standards by Agent+ME · · Score: 5, Funny

      They've already been using their ranking system to encourage HTTP and HTML. Think of all the poor BBSs and gopher servers they've been discriminating against!

    3. Re:So now Google establishes Internet standards by bill_mcgonigle · · Score: 3, Interesting

      Google has been using dozens of quality metrics for years to adjust its rankings. This isn't a new concept.

      It's not clear to me which HTTPS configurations it's favoring, though. Is Strict Transport Security a requirement? People with high-longevity system needs are going to need to upgrade to EL7 to make good HTTPS feasible, so there will be a transition period.

      As far as standards - look, W3C, IETF, et. al. have completely failed to keep up. From 1993 to 1997 we went from HTTP 0.9 to to HTTP 1.1, which is where we are today. HTTP 2.0 will have been languishing for two decades by time there's a standard and any significant adoption. That's not Internet-time.

      Google has made some mistakes with SPDY and QIC but at least they're actually trying to move the ball down the field instead of just arguing on the sidelines. It used to be that lots of players would do the same thing and fairly quickly a concensus would emerge. We have a serious breakage problem in the current community process. Google is doing it right - it's everybody else that's not.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:So now Google establishes Internet standards by Anonymous+Brave+Guy · · Score: 3, Insightful

      While your points about the snail's pace of web "standards" development are fair, it's also important not to go too far the other way. Not so long ago, another browser became dominant in market share through pushing new but not widely supported features its own way, and people started making web sites that were written specifically to work with that browser rather than any common standard.

      That browser was Internet Explorer in the late 1990s, and the result was IE6.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:So now Google establishes Internet standards by just_another_sean · · Score: 4, Insightful

      but once they open the door once to arbitrary ranking changes done on a whim, that door can be opened again.

      Was that door ever closed? They're ranking algorithm has been arbitrary since the beginning and has changed very frequently over the years in an effort to reduce gaming the system and to generally improve results. If anything I'd say it's nice that they're at least telling people about this change vs. just quietly adjusting things and leaving site owners to wonder what happened to their page rank.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  3. It's about time! by mcrbids · · Score: 4, Interesting

    Expensive advertising campaigns engender trust because it shows that the advertiser has the resources to carry out the campaign. It's why online ads are so commonly ignored - people want to do business with "reputable" companies and expensive advertising is a way of establishing repute.

    Similarly, putting out the modicum of effort to perform basic security like SSL is a signal that the website is reputable. I mean, if you can't be bothered to buy a $50 SSL certificate and install it, are you *really* trustworthy?

    SSL should be a basic signal of trustworthiness.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:It's about time! by WaffleMonster · · Score: 3, Interesting

      Similarly, putting out the modicum of effort to perform basic security like SSL is a signal that the website is reputable. I mean, if you can't be bothered to buy a $50 SSL certificate and install it, are you *really* trustworthy?

      LOL and here I thought all this time the Internet was supposed to reduce costs and barriers to competition... yet here we go "the higher the fewer".

      When your making the big bucks off Google by operating industrial scale link farms $50/year is a small price to pay for success.

      Someone please remind me again why we are even contemplating enriching the clusterfuck that is the CA industry which sees no problem with use of completely automated systems and non-existent documentation requirements prior to issuing certificates?

  4. Cat blog by ZipK · · Score: 3, Insightful

    So my cat picture blog will rank lower than a competitor's SSL encrypted cat picture blog, even though neither of us require you to log in or even prove you are a cat?

    1. Re:Cat blog by Cyberdyne · · Score: 4, Informative

      Still, HTTPS would at least prevent your ISP from monitoring your browsing activity.

      That's part of it - a valuable enough part in itself, IMO; at least one UK ISP, TalkTalk, has started duplicating HTTP requests made by their customers: so, if you request http://example.com/stuff on one of their lines, 30 seconds later they'll go and request the same URL themselves for monitoring purposes. Obviously, enabling SSL prevents this kind of gratuitous stupidity - and the previous incarnation of such snooping, Phorm. If enough websites enable SSL, ISPs will no longer have the ability to monitor customer behavior that closely, all they will see are SSL flows to and from IP addresses, and whatever DNS queries you make to their servers, if any. (Use encrypted connections to OpenDNS or similar, and your ISP will only ever see IP addresses and traffic volume - exactly as it should be IMO!)

    2. Re:Cat blog by IamTheRealMike · · Score: 5, Informative

      Yes, for news and such it doesn't make that much sense. Still, HTTPS would at least prevent your ISP from monitoring your browsing activity.

      It's actually a lot more than that. HTTPS isn't just about protecting passwords anymore, not post Snowden.

      Let us recall one of the more interesting things we learned about SSL via the NSA leaks: the Five Eyes countries apparently have not broken SSL yet despite that the internet is still not capable of stopping them. The reason is a system they've built called QUANTUM.

      QUANTUM is a series of systems that work together. Imagine it like being a giant set of guard towers on the internet backbone. QUANTUM is called that because it's based on deep packet inspection and insertion. The first part is a massive set of DPI devices that trawl unencrypted internet traffic passing through intercept points. These DPI devices can be configured by NSA/GCHQ analysts to look for selectors - personal identifiers like email addresses, IP addresses, cookies and so on. QUANTUM does not run on every internet link and cannot see through encrypted traffic, but that doesn't matter: it's like a searchlight crawling the grounds of a prison at night. It doesn't matter that it can't light up everywhere simultaneously - once tasked it will keep searching until it finds you. Given enough time and good selectors, it will always find you, simply because the average internet user makes many different unencrypted connections to many different websites.

      Once QUANTUM locates an un-SSLd traffic stream that matches your selectors, the next step begins, this is called QUANTUM INSERT. You see these DPI devices are not only capable of reading traffic but also injecting packets directly onto the backbone as well. This allows them to race legitimate answers from the real servers, and redirect the victim to an entirely different server (this is probably based on racing DNS lookups although I think the leaked docs were fuzzy on this aspect). These races are called "shots" and interestingly, they don't always succeed - sometimes the NSA is slower than the real server. But QUANTUM keeps trying and eventually you end up connected to this new FOXACID server, which then proceeds to act as an HTTP proxy for the real request and injects an exploit kit. That then pwns your system such that the NSA can now see all your encrypted traffic, along with turning on your microphone and so on.

      An observant reader will notice something very important about the above description. The longer you can stay in the SSLd web, the longer it will take for QUANTUM to hack you. That means you directly benefit from a website being SSLd even if all it contains is cat pictures and you don't even log in. Once QUANTUM has figured out your IP address, any non-SSLd HTTP connection is a useful foothold.

  5. OK fine but give us a free CA by Cthefuture · · Score: 5, Insightful

    I have no technical problem switching every website/server I have to SSL but the actual problem is the price of all those SSL certs. Most of my sites are just hobby type sites that I run for my own enjoyment and to benefit others (quite a few "others" I should mention; some of my sites are very popular). However, I don't make any money off these, in fact it already costs me money to run them.

    Now you want me to add SSL so that people can still find my relevant and useful information? Well, OK but how the hell am I suppose to pay for it? SSL server certs are expensive. The whole thing is a scam to make the few "official" CA's rich. How about some sort of official public service that can hand out server certs of every registered domain? Every domain should come with an unlimited supply of SSL certs or at least a wildcard cert and a renewal service, free of charge.

    --
    The ratio of people to cake is too big
    1. Re:OK fine but give us a free CA by RobinH · · Score: 3, Insightful

      Agreed, if Google wants to do this, maybe they should also become a free Certificate Authority. Wouldn't that tick off the Verisigns of the world...

      --
      "I have never let my schooling interfere with my education." - Mark Twain
  6. Android Browser 2.x and IE/XP lack SNI by tepples · · Score: 4, Informative

    I mean, if you can't be bothered to buy a $50 SSL certificate and install it, are you *really* trustworthy?

    It's not only the cost of a certificate, which StartSSL provides without charge to individuals. It's also a dedicated IPv4 address if you want to reach people still using Android 2 or Windows XP. A lot of entry-level hosting packages use name-based virtual hosting, and doing this over name-based virtual hosting requires the TLS stack to support Server Name Indication (SNI). Android Browser didn't gain support for SNI until Honeycomb (3.x) on tablets and ICS (4.0) on phones, and Internet Explorer didn't gain support for SNI until Windows Vista.

  7. HTTP-only ad networks by tepples · · Score: 3, Informative

    Slashdot makes HTTPS available only to subscribers because historically, web ad networks haven't supported HTTPS. Only in September 2013 did Google AdSense roll out HTTPS support.